Description
A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
Published: 2026-04-22
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Update
AI Analysis

Impact

A Time‑of‑Check to Time‑of‑Use flaw in the cp command of uutils coreutils lets an attacker defeat no‑dereference mode (cp -P / --no-dereference) by replacing a regular file with a symbolic link between the check and the open. cp decides whether the source is a symlink from path‑based metadata (an lstat‑style lookup) and then opens the same path without O_NOFOLLOW, so the open follows whatever the path resolves to at that moment. An attacker who can modify the source's parent directory during that window can swap in a link to a file they cannot read themselves, causing a privileged cp process to read that file and write its contents into a destination the attacker can read, exposing confidential data.

Affected Systems

The vulnerability affects the uutils coreutils product, specifically its cp utility. The advisory gives no affected version range, so every release that ships cp should be treated as potentially vulnerable until the project publishes a fix.

Risk and Exploitability

The CVSS v3.1 score is 4.7 (Medium), vector AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N: local access and low privileges suffice, attack complexity is high because the race must be won, and the impact is confined to confidentiality. EPSS is below 1% (very low), and the vulnerability is not listed in the CISA KEV catalog; the SSVC enrichment on this page records the exploitation status as "poc". A realistic attack needs a privileged cp invocation (for example a root‑run backup or deployment job using -P or an option that implies it, such as -a) that reads from a directory the attacker can write to, plus the ability to swap the file during the check‑to‑open window; the attacker does not need to run cp themselves. Because the outcome is disclosure of arbitrary files readable by the privileged process, patch or mitigate promptly.

Generated by OpenCVE AI on April 22, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update uutils coreutils to the latest release once a fixed cp implementation is available.
  • Restrict write access to the directories a privileged cp reads from; the swap is a rename or unlink in the parent directory, so it is directory write permission, not permission on the file itself, that the attacker needs.
  • Run cp under the lowest privilege level that satisfies the use case, avoiding root or other privileged contexts when possible.
  • If an updated binary is not available, front cp with a wrapper that opens source files with O_NOFOLLOW and confirms with fstat that the opened descriptor matches what lstat reported, or use the platform's original coreutils cp for the affected jobs; whichever substitute you choose, verify it does not have the same lstat‑then‑open gap.
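The check‑then‑open gap described in the Impact section, and the O_NOFOLLOW plus fstat wrapper suggested in the last item above, as an added example (not code from uutils, nor from this advisory). The two functions model the pattern in isolation rather than uutils' copy routine: `in_window` is a hypothetical hook standing in for the attacker's concurrent write, `swap_for_symlink` is the attacker's step, and the secret file contents and scratch directory names are constructed for the demo. The O_NOFOLLOW constant is hardcoded from <fcntl.h> so the example needs no external crates.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read};
use std::os::unix::fs::{symlink, MetadataExt, OpenOptionsExt};
use std::path::{Path, PathBuf};

// O_NOFOLLOW from <fcntl.h>; production code should take it from the libc crate.
#[cfg(target_os = "linux")]
const O_NOFOLLOW: i32 = 0o400000;
#[cfg(not(target_os = "linux"))]
const O_NOFOLLOW: i32 = 0x0100; // macOS / BSD value

// Constructed sample standing in for /etc/shadow.
pub const SECRET: &[u8] = b"root:$6$constructed-hash:19000:0:99999:7:::\n";

/// Vulnerable pattern (the one the advisory describes): lstat by path, then
/// open by path without O_NOFOLLOW. `in_window` is a hypothetical hook that
/// stands in for the attacker and runs between the check and the use.
pub fn read_no_deref_vulnerable(src: &Path, in_window: impl FnOnce()) -> io::Result<Option<Vec<u8>>> {
    let meta = fs::symlink_metadata(src)?; // lstat(2)
    if meta.file_type().is_symlink() {
        return Ok(None); // cp -P recreates the link instead of copying its target
    }
    in_window();
    // open(2) follows whatever now sits at `src`, symlink included.
    let mut buf = Vec::new();
    File::open(src)?.read_to_end(&mut buf)?;
    Ok(Some(buf))
}

/// Hardened pattern: open with O_NOFOLLOW so a symlink at `src` fails (ELOOP),
/// then fstat the descriptor and check it is the inode lstat reported, which
/// also catches a swap to a different regular file.
pub fn read_no_deref_hardened(src: &Path, in_window: impl FnOnce()) -> io::Result<Option<Vec<u8>>> {
    let meta = fs::symlink_metadata(src)?;
    if meta.file_type().is_symlink() {
        return Ok(None);
    }
    in_window();
    let mut file = OpenOptions::new().read(true).custom_flags(O_NOFOLLOW).open(src)?;
    let opened = file.metadata()?; // fstat(2) on the open descriptor, no path lookup
    if (opened.dev(), opened.ino()) != (meta.dev(), meta.ino()) {
        return Err(io::Error::new(io::ErrorKind::Other, "source replaced between check and open"));
    }
    let mut buf = Vec::new();
    file.read_to_end(&mut buf)?;
    Ok(Some(buf))
}

/// Attacker step inside the window: swap `src` for a symlink to `secret`.
/// rename(2) is atomic, so the victim never observes a missing path.
pub fn swap_for_symlink(src: &Path, secret: &Path) -> io::Result<()> {
    let staged = src.with_extension("staged");
    let _ = fs::remove_file(&staged);
    symlink(secret, &staged)?;
    fs::rename(&staged, src)
}

/// Fresh scratch directory (constructed): `secret` plays /etc/shadow, `src`
/// starts as a harmless regular file the attacker owns.
pub fn setup(tag: &str) -> io::Result<(PathBuf, PathBuf)> {
    let dir = std::env::temp_dir().join(format!("cp-toctou-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir_all(&dir)?;
    let secret = dir.join("secret");
    let src = dir.join("src");
    fs::write(&secret, SECRET)?;
    fs::write(&src, b"harmless\n")?;
    Ok((src, secret))
}

/// Runs both variants against the same swap; returns what the vulnerable copy
/// read and whether the hardened copy refused.
pub fn demo() -> io::Result<(Vec<u8>, bool)> {
    let (src, secret) = setup("vuln")?;
    let leaked = read_no_deref_vulnerable(&src, || swap_for_symlink(&src, &secret).unwrap())?
        .expect("lstat saw a regular file");
    let (src, secret) = setup("hard")?;
    let refused = read_no_deref_hardened(&src, || swap_for_symlink(&src, &secret).unwrap()).is_err();
    Ok((leaked, refused))
}

fn main() -> io::Result<()> {
    let (leaked, refused) = demo()?;
    println!("vulnerable cp read: {:?}", String::from_utf8_lossy(&leaked));
    println!("hardened cp refused: {}", refused);
    Ok(())
}
```

Build it with rustc on Linux or macOS: the vulnerable variant returns the constructed secret, the hardened variant returns the open(2) error (ELOOP). The fstat comparison matters as much as the flag: O_NOFOLLOW only rejects a symlink at the final path component, so comparing (dev, ino) against the lstat result is what catches a swap to a different regular file, and a production fix should also handle symlinks in intermediate components, for example by walking the tree with openat on a directory descriptor.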

Generated by OpenCVE AI on April 22, 2026 at 18:10 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 16:30:00 +0000

Type         Values Removed   Values Added
Description                   A Time-of-Check to Time-of-Use (TOCTOU) vulnerability in the cp utility of uutils coreutils allows an attacker to bypass no-dereference intent. The utility checks if a source path is a symbolic link using path-based metadata but subsequently opens it without the O_NOFOLLOW flag. An attacker with concurrent write access can swap a regular file for a symbolic link during this window, causing a privileged cp process to copy the contents of arbitrary sensitive files into a destination controlled by the attacker.
Title                         uutils coreutils cp Information Disclosure via Time-of-Check to Time-of-Use Symlink Swap
Weaknesses                    CWE-367, CWE-59
References
Metrics                       cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: canonical

Published:

Updated: 2026-04-22T17:50:54.548Z

Reserved: 2026-04-02T12:58:56.087Z

Link: CVE-2026-35359

Vulnrichment

Updated: 2026-04-22T17:50:44.706Z

NVD

Status : Awaiting Analysis

Published: 2026-04-22T17:16:38.537

Modified: 2026-04-22T21:23:52.620

Link: CVE-2026-35359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T18:15:15Z

Weaknesses